GDPR

DonorPerfect supports your needs to track and manage the GDPR requirements for donor data and communication preferences. Features within DonorPerfect can be used with your own internal processes and other 3rd party tools to create a GDPR compliant solution for your organization. You should contact your legal resources to see how GDPR affects you and your constituents. We will continue to monitor developments related to GDPR and make continued changes to the product suite as necessary.

Please note this resource is only a brief overview of the GDPR, and is only intended to be a summary of how leading experts have suggested to prepare for the advent of the GDPR and the Enforcement Date. It is not intended to be a comprehensive analysis of the GDPR or how it might specifically relate to your organisation. Organisations should consult with their legal counsel on all GDPR issues.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) broadly covers information relating to an identified or identifiable natural person of the European Union. As a result of the broadly written language of the GDPR, the implications of the GDPR are far reaching.


Understanding Controller Vs. Processor

An organisation’s obligations under the GDPR depend on whether the company is a “controller” or “processor”. A controller is a company that determines the purposes and means of processing personal data, while a processor is a company that processes personal data on behalf of a controller. In some instances a company may act as both a controller and a processor with respect to different aspects of the same transaction. DonorPerfect is considered a processor, and organisations who use DonorPerfect are considered a controller.

Data Subject Rights

The major data subject rights of EU individuals that are protected under the GDPR are:

Breach Notification

Right to Access

Right To Be Forgotten and Rectification

Data Portability

Privacy By Design

Below is more detail on each element and how DonorPerfect is handling it.

Breach Notification – A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or processed. Generally, a controller must notify the relevant supervisory authority of any data breach that is likely to result in a risk to any EU individual’s privacy rights within 72 hours of becoming aware of such a data breach. Additionally, any processor which experiences or is aware of any such data breach must notify the controller of the data breach without undue delay.

If the data breach has a high risk to an EU individual’s privacy rights, the controller must also notify the affected individual, unless: (i) the relevant data that is the subject of the breach is adequately protected, (ii) following the breach the controller has taken adequate measures to ensure that the resulting high risk is no longer likely to be a concern, or (iii) notification of the individual data subjects would be disproportionately prohibitive (in which case a public notification would be required).

How DonorPerfect Is Handling This – DonorPerfect will alert you, our customer, if a defined breach occurs as outlined in the regulation. Furthermore, if the data breach has a high risk to an EU individual’s privacy rights, we will notify the individual unless one of the three exceptions outlined in the regulation applies.

Right to Access – EU individuals have the right to request a controller to confirm whether the individual’s personal data is processed, including where and for what purpose it is being processed. They also have the right to receive, free of charge, a copy of the personal data from the controller in an electronic format.

How DonorPerfect Is Handling This – As a controller, you can easily copy personal data from within DonorPerfect and send it to the individual electronically through our export file functionality and standard reports.

Right to be Forgotten (Data Erasure) and Rectification – EU individuals have the right to require a controller to erase his or her personal data, cease further dissemination of the personal data and potentially restrict the ability of third parties to process the personal data. This also includes the right for the individual to correct inaccurate personal data.

How DonorPerfect Is Handling This – DonorPerfect allows the deletion of records from our software, and as a controller you can delete records on your own within the DonorPerfect software from the search screen. These records are physically deleted from the underlying database. However, it is still up to you to ensure that other copies of the individual’s record are deleted, and this includes user-initiated backups of your data. Controllers should ensure that all previous backups that have been created are overwritten to make sure the individual’s record is truly erased.

As a processor and global data center provider, DonorPerfect has redundant backup systems in place that automatically erase these deleted records after 30 days.

Data Portability – EU individuals have the right to request that a controller transfer their personal data to another controller.

How DonorPerfect Is Handling This – As a controller, you can easily copy personal data from within DonorPerfect and send it to other controllers through our export file functionality and standard reports.

Privacy By Design – While this is a concept that has existed for years in the EU, under GDPR, controllers are now required to (i) implement appropriate technical and organizational measures to implement data protection principles and (ii) integrate necessary safeguards into the processing in order to meet the GDPR requirements. These actions are required both at the time the need of the processing is determined and at the time of the processing itself.

How DonorPerfect Is Handling This – DonorPerfect and the DonorPerfect Online Forms applications allow donors to opt in or out of communication channels such as phone, post mail and email. This allows your constituents to easily, and explicitly, OPT-IN or OPT-OUT of communications and keeps a running tally of these updates for each constituent. As a controller you will need to make sure you track these interactions correctly in DonorPerfect, as well as have policies and procedures in place to ensure that each individual’s privacy preferences are respected when you conduct marketing and/or communication campaigns.

GDPR Derogations

The GDPR has identified a number of derogations, or exemptions, where the failure of the controller or processor to comply with GDPR will not result in sanctions, or will result in reduced sanctions. These derogations include the following:

The individual has explicitly consented. However, the GDPR has made consent a very limited exception, and one not to be widely relied upon. Under the GDPR, consent must be clearly and expressly given and must be as easy for the individual to withdraw as it was to give. As noted above, DonorPerfect allows for this consent to be made and stored within DonorPerfect. Should the individual wish to alter communication preferences, this can be transmitted via the completion of a second online form to denote this change, and as a controller, you should make this form readily available.

The information is necessary for the performance of a contract, a) between the individual and the organization, or b) made in the interests of the individual between the controller and another person.

The information is necessary for important reasons of public interest or to establish, exercise, or defend legal claims.

A controller’s legitimate interest. In applying this exception, the importance of the controller’s legitimate interest is weighed against the individual’s privacy right in the personal data.

Conclusion

Organisations will need to put in place data breach incident management plans, develop plans for how to respond to requests from EU individuals respecting the data subject rights granted under GDPR, and update their controller/processor contracts to comply with the requirements of GDPR. It is important to put these plans in place well in advance of a data breach or a data access, data erasure, or other similar request permitted under the GDPR. Also, it will be helpful to make a record of any internal determinations that are made with respect to GDPR (i.e. whether the company determines it is acting as a controller or processor).

DonorPerfect as a Controller for our EU and UK Prospects/Customers

For our EU and UK clients, DonorPerfect also acts as a controller of your information. We have established policies and procedures to address the GDPR requirements as they relate to your interactions with us.

The major data subject rights of EU individuals that are protected under the GDPR are:

Breach Notification

Right to Access

Right To Be Forgotten and Rectification

Data Portability

Privacy By Design

Below is more detail on each element and how DonorPerfect is handling it.

Breach Notification – A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or processed. Generally, a controller must notify the relevant supervisory authority of any data breach that is likely to result in a risk to any EU individual’s privacy rights within 72 hours of becoming aware of such a data breach. Additionally, any processor which experiences or is aware of any such data breach must notify the controller of the data breach without undue delay.

If the data breach has a high risk to an EU individual’s privacy rights, the controller must also notify the affected individual, unless: (i) the relevant data that is the subject of the breach is adequately protected, (ii) following the breach the controller has taken adequate measures to ensure that the resulting high risk is no longer likely to be a concern, or (iii) notification of the individual data subjects would be disproportionately prohibitive (in which case a public notification would be required).

How DonorPerfect Is Handling This – DonorPerfect will alert you, our customer, if a defined breach of your personal information occurs, as outlined in the regulation.

Right to Access – EU individuals have the right to request a controller to confirm whether the individual’s personal data is processed, including where and for what purpose it is being processed. They also have the right to receive, free of charge, a copy of the personal data from the controller in an electronic format.

How DonorPerfect Is Handling This – Please see our Terms of Service for additional information on how we handle your data. If you would like to learn more about how your data is being used, or would like a copy of your personal data free of charge, please send your request to legal@donorperfect.com.

Right to be Forgotten (Data Erasure) and Rectification – EU individuals have the right to require a controller to erase his or her personal data, cease further dissemination of the personal data and potentially restrict the ability of third parties to process the personal data. This also includes the right for the individual to correct inaccurate personal data.

How DonorPerfect Is Handling This – If you would like to be removed from our internal marketing and sales databases or correct any inaccurate personal data, simply send a request to legal@donorperfect.com and we will honor your request.

Data Portability – EU individuals have the right to request that a controller transfer their personal data to another controller.

How DonorPerfect Is Handling This – If you would like your information transferred to another controller, simply send a request with the details to legal@donorperfect.com.

Privacy By Design – While this is a concept that has existed for years in the EU, under GDPR, controllers are now required to (i) implement appropriate technical and organizational measures to implement data protection principles and (ii) integrate necessary safeguards into the processing in order to meet the GDPR requirements. These actions are required both at the time the need of the processing is determined and at the time of the processing itself.